Earlier this month, I had the privilege of hosting a virtual panel discussion where we brought in experts from Charles River Associates, Kirkland & Ellis, Fasken and Tanium to discuss the challenges law firms face and recommendations on safeguarding internal IT assets and defending against attacks.
It was an insightful and spirited discussion where we provided perspectives from four different vantage points from a law firm CISO, external cyber counsel, incident response advisory, and technology provider.
Walking away from the discussion, you’ll get a better sense of best practices in dealing with the inherent challenges of safeguarding law firms, cyber hygiene, IT asset and application visibility, sensitive data awareness and management, threat mitigation and breach remediation, and bridging the gap between IT operations and cyber, security, and risk teams.
To take advantage of this information, check out the full transcript below or watch the 60 minute video here:
Title: Combating IT & Cyber Challenges Facing Law Firms – A Panel Discussion
Chief Security Officer (CSO) for Kirkland & Ellis LLP
Counsel at Fasken LLP
Vice President, Cyber Threat Detection & Response at CRA
Associate Principal, Forensic Services Practice of CRA
General Counsel at Tanium
VP, Office of the CISO, Tanium
Shawn Surber: Welcome everyone to this webinar regarding IT and cyber security / cyber hygiene challenges facing law firms today.
My name is Shawn Surber. I’m Vice president of technical solutions from the office of the CISO at Tanium, and we’ve got an excellent panel today here ready to talk to you about some specific case studies, some best practices and what can you do to really help enable your environments to protect your internal IT assets and defend yourselves against attacks from threat actors.
We will talk about why law firms are prime targets for threat actors, what kind of data we’re talking about here. And then, like I said, give you those tactical and strategic recommendations for improvement and so forth.
So, to kick things off, let’s just go ahead and have everyone do a quick round of introductions so you know who’s on your panel today. So, we’re going to start off with Arlan McMillan – CISO at Kirkland & Ellis LLP.
Arlan McMillan: Great good morning. Thank you for having me CISO for Kirkland and Ellis. Prior leadership CISO at United Airlines City of Chicago. And I think it’s about 25 years now in technology and security.
Ellen McDonald: Hello and welcome to this panel and thanks for including me. So, I’m Ella McDonald. I am the general counsel at Tanium. I’ve been a lawyer for many, many years and worked previously in law firms including Orrick, Herrington & Sutcliffe.
Daanish Samadmoten: Morning everyone. Hi, my name is Daanish. I’m a lawyer at Fasken Martineau DuMoulin, we’re a law firm in Toronto. I frequently act as a breach coach in respect of cyber security matters.
Aniket Bhardwaj: Thanks Shawn, good morning everyone. Thanks for having me myself Aniket Bhardwaj. I’m the Vice President in our incident response and threat detection services here at Charles River Associates and we work with clients with respect to helping them respond to incident response, respond to breaches as well as working with them from pre incident perspective to help improve their cybersecurity posture.
Carlo Lakay: Thanks Shawn, good morning everyone. My name is Carlo Lakay. I’m an associate principal at Charles River so see it’s I have been involved in forensics, incident response, cyber security for several years.
My primary role is supporting Aniket in assisting clients in improving their cyber security posture as well as investigating cyber incidents.
Shawn Surber: Alright wonderful, well thank you all for joining us today and we’re just going to launch right into it because I know everybody wants to get to the meat of the subject.
So Aniket and Carlo, we’re going to kick things off with you. So, from a consulting POV, what do you see as the critical gaps in cybersecurity for law firms that most need addressing?
And would you please walk us through some case studies? I know you are interested in talking about Panama Papers. Some of the notPetya activities and Accellion use cases to illustrate those points.
Aniket Bhardwaj: Absolutely, so as you know, we are now being hit by security incidents from financially motivated and state sponsored threat actors. This is a serious issue and as a community we have to address it.
The question really is how seriously are you taking it? I mean obviously there are numerous tools available in the marketplace for organizations to solve the problem and stay ahead of the curve and reduce the risk of cyber attacks.
The reality in our opinion is quite different. The problem from our perspective really lies with the fact that the basics are not being done right.
Organizations does not have complete visibility on the users and the assets which are in use. There’s always a set of servers or systems lying in an IT closet which are either not visible in most cases and hence left unpatched. Or, as I said earlier, not visible to the to the administrators.
So, from our investigations we are seeing use of vulnerable systems and applications not visible to the teams and that is actually creating a serious challenge at a fundamental level.
Those vulnerable applications on unmanaged systems really leads to the perfect playground for threat actors to compromise the environment. In reality, those unpatched systems and missing vulnerabilities is what the thread actors are exploiting.
Now to contextualize the issue around patches not being applied, let me draw your attention to two major incidents.
The first one is the notPetya ransomware five years ago in 2016 and the second one is the Accellion database compromised by threat actors due to another known vulnerability.
The common theme across both incidents is that patches were released at least months before they were actually exploited by these threat actors.
We actually saw a similar theme in the Kaseya MSP compromise last month earlier this year. But again, we could have reduced the damage they brought to the organizations had these security hygiene was up to date.
Now the fundamental issue I will once again highlight is the basics are not being done right, so what’s the solution?
Well, let’s get the basics right by maintaining a solid cybersecurity hygiene of the environment and we will discuss throughout this panel some of the key recommendations and strategies to really deal with those areas, but for now, I’m going to let Carlo walk you through the Panama Papers case study at a very high level to discuss what really went wrong, how the whole incident could have been avoided.
We will then also discuss how security hygiene plays a crucial role in then reducing cyber security related risks so over to you Carlo.
Carlo Lakay: Thanks, Aniket. Just add that so the Panama Papers is a well-publicized cyber incident that occurred during 2016.
Now I could talk at great length about this topic, but in the interest of time I’ll be providing a brief summary of the incident and go a bit into what went wrong. A few reasonable steps any law firm or any organization could have taken to reduce the risks that lead to cyber incidents.
So, what went so horribly wrong that led to this breach could only be described as a failing through applied good security hygiene, as Aniket mentioned, and good security hygiene is ultimately the foundation of a successful incident and threat management program.
So, the Panama Papers technically referred to approximately 11 and a half million confidential privileged documents that were leaked from a Panama based law firm as a result of a cyber incident. These leaks comprised about 2.6 terabytes of data including clients privileged and confidential information in emails, database files, PDFs, text documents, etc.
The security gaps that led to this incident are some areas of basic security hygiene that were lacking:
• They had several hygiene issues, such as seriously outdated, vulnerable public-facing web framework and other public-facing systems that hadn’t been patched.
• They had an updated version of Oracle Software that exposed their internal databases.
• They had exploitable SQL injection vulnerabilities, and researchers found at least four different variants of remote access Trojans or what we call ‘rats’ in their in their environment when they did the incident analysis
And unfortunately, such incidents are not unique to this Panama based law firm. As Aniket mentioned, there were recent incidents a lot closer to home with notPetya and Accellion.
So to summarize, the Panama instance, there was a clear lack of visibility across the estate with missing patches, multiple vulnerabilities, flat network with poor segmentation, and no endpoints or threat detection capabilities in their environment. And such an environment from a threat actors perspective at least is the ideal low hanging fruit target for them, and this could just have been prevented by applying some basic security hygiene that Aniket’s going to elucidate on a bit further.
Aniket Bhardwaj: Thanks Carlo. So, as you can see, the impact is really huge, huge, huge impact for something which could have been avoided.
Now you all might be wondering how can we solve this serious challenge that we are facing right now? So let me just walk you through quickly, very high level four items from the perspective of maintaining good security hygiene:
1. Maintain complete IT asset visibility – knowing what computers, systems and software are running on your network and really asking yourself who owns, manages and maintains them very high level.
2. Tactical risk management – really testing the compliance and not just a checkbox NIST assessment. That’s something we see very common across the industry that, yes, we have done a NIST cybersecurity assessment but then in the end they are still getting compromised. So, it’s really kind of like taking the tactical approach and then mapping those findings to a tactical framework. So, a little bit of a hybrid approach from our perspective. So, question you could be asking is “yes, we do have the patch management process, but are you testing the effectiveness of patch management process?” So, trust but verify.
3. Sensitive data protection – focus on visibility around activities that also helps address the risk of insider threats. Some questions you could ask “do you know where sensitive data resides in your environment? Is it being accessed by only the appropriate people or are you seeing any other activities in there as well? Can you then ultimately detect and prevent it from leaving your control?” So, kind of like tying those three items together
4. Effective incident response – are you then able to mount an efficient and effective response to a cyber crisis? Do you really have procedures and resources in place to be able to then address an incident?
So, keeping those four things in mind brings me to the quick wrap up from our perspective and going back to the theme that we have been talking around here is organizations really need to work towards by getting the basics right and essentially maintaining full visibility on the assets, the endpoints, the servers and systems, and really establish a good cyber hygiene from our perspective.
Again, as we have to remember this, we can only protect what’s visible and hence the focus on maintaining complete visibility.
So back to you, Shawn and thank you again.
Shawn Surber: Well put gentlemen, now it’s really interesting to me as a cyber security practitioner for close to 20 years that these incidents from five years ago are still so relevant today. The events keep happening and it often takes months or years to fully understand the impact of them.
So cyber security is at the forefront everywhere. It’s on everybody’s mind. It’s at the board level, it’s at the partner level, right? But we don’t see wholesale improvement in cyber hygiene in most organizations.
So, Arlan let’s continue on with you. So, what do you see as some of the most pressing challenges facing law firm CISO’s today?
Arlan McMillan: Sure, so you know some of the biggest challenges you know, at the most fundamental perspective of challenges within law firms. And you don’t see this so much with your AmLaw 20 or even with AmLaw 50. Going to see it perhaps a little bit below that, and that is just fundamentally appreciating, that while these are law firms they’re also highly dependent upon and are in many ways technology companies. Right?
The grounds have shifted and I think most people really appreciate that today, but they actually putting that appreciation into action. Actually making the investments, prioritizing the work necessary is a, I think some areas where some law firms struggle with.
Now, each individual law firm is going to have their own individual reasons why that’s so, but I think there is a through line there outside of the AmLaw 20. Now, we broaden that out, some of the specific things are a little bit more tactical threats that law firms face.
Number one is accidental disclosure. You know there’s a phrase when you hear hoof beats. Don’t think zebras think horses. You know zebras is the cyber, but horses is typically the reality. Most bad things happen because of accidents, not because a hacker from out of the country or in somebody’s basement.
So accidental disclosure – getting everything all of your people/process/technology wrapped around to ensure that data is properly managed, tagged, handled, and that everybody is trained on good practices is a hugely important place to start.
We could talk about ethics, model clauses, say from ABA saying these are things you need to be doing anyway. You can tie it back to that, but beyond that there’s a lot of good practices to get your hands around the operational aspects.
If you want to shift over to a threat perspective, there’s two main types of motivations. You can slice it and dice it a little bit deeper, but at a high level two main motivations: one is to monetize your information or your systems. Or the other is espionage and that could be state sponsored or industrial espionage and depending upon where you are in the world, those are one in the same.
Now, these may sound a little ‘007’, they may sound esoteric, but they’re not. They are absolutely happening frequently to organizations around the world, including law firms.
So, from a monetization how do you see that? Well, you see that in ransomware, everybody’s been hearing about ransomware. Their primary goal is to make money off of taking your data in system hostage, while their secondary goal is to also make money off of the data that they’ll they’ve taken out of your organization that they have access to. And if you don’t give them what they’re asking for, a negotiated price, well then they release all this information and try to embarrass you and your clients.
Any law firm that can’t demonstrate that they are maintaining the confidentiality of their clients is going to struggle.
On the monetizing, do you have any PII? If you have any credit card information or personal information as part of litigation, for example, that will be something that bad actors are interested in.
So going over to industrial espionage, it is well-known and the intelligence agencies have been saying this. US, British and all the big Five Eyes have been saying this for a long time. There are various nation states out there that are aggressively pursuing the theft of information and data from all different types of organization sectors and sizes.
Law firms are included. You are representing a client where a nation has interest in that technology or sector, consider that you are at risk of being targeted. You the law firm. It’s not just that industry, it’s just not that fine.
So that’s industrial espionage. That’s nation state actors. It’s a variety of others. There’s a denial of service from activists or hacktivists this you may be representing a client that isn’t fondly recognized in the media. And then hacktivists will come after you to embarrass you. There are others as well, but they’re a little bit lower on the food chain.
Again, monetizing and industrial espionage are my top 2.
Shawn Surber: Alright, thank you Sir. You call out a good point. You know, I’ve heard it said for years that “hey, we’re all in IT now” you know. In other words, IT security is everyone’s responsibility.
It’s one of the reasons organizations spend so much time, money and effort on educating the employees. But the problems remain.
I’ve always taken the perspective of educate the employees, but then back that up with effective technical controls because we’ve got to provide that because it’s going to happen, right?
So Daanish and Aniket with regards to the Panama Papers example, do you think that the lack of the cyber security and data protection controls are indicative of challenges facing the legal industry overall?
Aniket Bhardwaj: Yes, as I briefly alluded to earlier, from our response to a range of cyber incidents globally what we have seen is, kind of like what’s the fundamental reason at the end of the day, the compromise really happened and I think what we are really seeing is – I’ll go back to my the point that I made earlier – you do have unpatched or unpatched systems or servers lying within your environment or third party applications and then vulnerabilities which then introduce additional risks.
So, from a threat actor perspective, you know once they gain foothold in your environment, and I think we have been hearing this since years, let’s assume the compromise is going to happen. Like if you are dealing with a state sponsored entity, they will come up with ways to kind of like compromise the environment.
Now, the question really becomes, how soon can you detect them? Or can you create not much of an attack surface for them so that they are then successfully able to compromise the systems and the user accounts?
So, at a very basic level – that’s why I mentioned earlier – you know the basics are not being done right? That’s our general discovery out there. You can spend millions of dollars in a range of different tools, analytics, SIM platforms, log aggregation or log collection, and then putting nitty gritty teams around the overall systems from a global perspective.
But again, if there are our vulnerabilities which are not being addressed for months or days, that is creating a window that the threat actor is really going after and I’ll give a quick example before I turn it to Daanish.
As you remember, literally last month the Kaseya MSP breach the vulnerability was again addressed or released in the public April 3rd. Now you go back three months down the line July 3rd, so they had roughly three months to address it, and again, I’m not saying necessarily with the fact that, but that’s a common issue we are seeing in general, not just with them, but greater than 85% of the organizations globally.
So that from our perspective is the is the real challenge that we are facing. We need to go after the patch management process very, very carefully. Obviously, you don’t want to bring down your systems by applying a patch which could introduce additional risks so it’s really around balancing your visibility or patch management process and tying it back to a process that you can track on a routine basis.
Over to you, Daanish.
Daanish Samadmoten: Sure, thanks.
So back to Shawn’s question I think that the challenges that face law firms are the same challenges that faced any organization, but they have additional ones as well. Some of the ones that Arlan mentioned.
You know you are also going to be targeted if your clients are involved in something in particular. So even ten years ago there was a reports of major law firms in Canada being targeted as a result of a deal for a large agricultural company that was being targeted. They had used their law firms to obviously do the sale transaction and there were reports that Chinese state associated actors hacked those law firms to try to find out information about the deal, either maybe for competitive reasons to make their own bid, or for whatever reasons.
So, that’s ten years ago now. That’s a long time.
Panama Papers is another example, right? Law firms hold sensitive data beyond just their own. Most organizations only hold their own employee data or some vendor or other data but law firms are data houses in a way. We hold data for everybody, and confidentiality is one of the key tenants of being a lawyer as people expect confidentiality with their lawyer. Obviously, you know most prominently in the criminal perspective if you’re charged with the crime you want their confidentiality, but also in a business perspective. If you can’t trust your lawyer, who can you trust, really?
So, I think the top challenges facing law firms are additional beyond the ones facing most organizations, but they are also the same and as Aniket said, just on a broader perspective, most organizations face just the basic issues, right? And alluding back to what Shawn said, human error is always going to happen and what Arlan said, accidental things are always going to happen. It’s really about how you respond and how you limit the impact of what might happen.
And in addition, most organizations have privacy law obligations, for example, to report incidents to government or to regulators. But law firms have additional obligations as regulated professionals, so we have rules of professional conduct that we must follow, and those rules of professional conduct include reporting to our clients in certain instances. So, in Ontario, for example, where I practice the Law Society of Ontario Rules of Professional Conduct has a rule that says you must report any material error or omission that may damage your client to your client, and then you must tell them that they can seek independent legal advice and that you may no longer be able to act for them.
So, unlike most organizations would just have to report an incident to somebody or to a regulator, and then that’s sort of it. You have to, as a lawyer, tell them that they might want to seek someone else to hire someone else. You might not even be able to act for them anymore, given what you know given what has happened.
So, I think a breach of confidential information arguably is going to fall under that kind of obligation. And, I’ve acted for many law firms in respect of cyber security incidents, and oftentimes that’s the view they have taken and I think the view that a regulator would take and obviously I don’t know every single professional rule of conduct in every single jurisdiction, but I think that most of them are going to have a similar rule to that effect. So, it’s certainly an additional challenge that lawyers face that other organizations are not going to face.
So, I think it’s something we all need to focus on, not just the lawyers but everybody.
Shawn Surber Yeah, yeah, absolutely. And you’ve really nailed some key takeaways there guys.
And, combining it back with Arlan’s point as well when you’re talking about industrial espionage and nation state actors, they’re going to find a way in. They have sophisticated tools and techniques and access to resources that that your average hackers couldn’t even dream of.
So, minimizing that attack surface and access to all of that internal data and client data is absolutely critical and you have to combine that with the ability to detect those malicious activities as they happen regardless of the attack vector and sophistication of the tools being used. It means that we need a whole new approach to detection and isolation beyond kind of the signature-based stuff that we’re all used to in the past.
So, taking that to the next level, Daanish and Arlan together. What are some of the best practices that you guys can share for addressing the needs for lawyers that have to have immediate access to all of these sensitive documents, all this privileged information, even while they’re working in distributed and often insecure work environments.
Daanish Samadmoten: There’s a lot of basic things going back to what Aniket had said, right? Basic things that we as lawyers or we as just individuals in the modern world could do to prevent or to have best practices.
So, one thing that I try my best to do, for example, whenever a client is going to send me a sensitive piece of information I asked him to password protect it if they’re going to send it by email and then send the password in a separate email so that it’s not in the same email. Or, if they’re going to send it to me then send it via secure file transfer or some other way because I think people use the email so regularly like I probably send 500 emails a day that you just get used to trusting that it’s secure.
And, hopefully most of the time it is secure but in that situation where it’s not, having password protected files can be really important because one of the most common types of cyber security incidents I deal with is email compromise which is a very common one because human error is very common, right? People sometimes just click a link they shouldn’t click. Maybe it comes from a trusted person. Maybe someone you know has been compromised.
I’ve had emails from other lawyers on other sides of cases that I work on, who I know should be emailing me about the case that I’m working on, who have been themselves been hacked and then email me “hey, we’re going to court, open this document”. If I didn’t think twice about that it’s kind of weird that they’re just emailing me a link to open this document, but I know that person is not like a total random stranger. I know who they are and there are many cases where people will click something and then enter their password to download a document, or whatever, open a voicemail from someone they expect and then your email will be compromised and sort of the biggest legal concern that comes in those cases that often times, at least in my experience in these cases, when a hacker compromises your email, they may download the whole email account or synchronize it to their own computer because of the way they’re logging in using these, what we call legacy protocols as I understand them.
And so, what that means is that even if you kick the hacker out of your email by changing your password or something else, they theoretically could have copies of all the attachments your clients have ever sent you. And, if those are not password protected then they can just open the attachment like any regular like you could.
Arlan McMillan Yeah, yeah, absolutely yeah, yeah, email compromise is very significant. Real. Happens frequently, and I’m going to make a recommendation Daanish to change your procedures here. Don’t send the password in the email because bad guy has downloaded. He now has both the document and the password so text the password. Send the document, text the password.
I think maybe that’s one thing I should have added at the top of the conversation. One of the biggest challenges for law firms it is how to work.
Email is an inherently insecure communication channel. Inherently. And yet attorneys breathe through email. They live and die in email. So how do you create an environment where you have all of this data in one place. It’s difficult to secure and maintain everybody’s confidentiality and security is a challenge. There are variety of ways that you can do that.
How do you do this in a mobile world is interesting. It’s not only a mix of technologies, it’s also a mix of procedures. One of the most important procedures you can implement is separate work and life. What do I mean by that? You have your work computer. Only do work things on that computer. Everybody has a phone you can get your email, your personal email on your phone. You don’t need to get your personal email on your computer. I appreciate it some more convenient, but you don’t need to do that. If you are doing that, you are increasing the risk of compromise of your computer and thus the compromise of your firm.
So that’s a procedural aspect, so there’s both technology and procedure. You know there’s a whole host of top five, top 10 things from a technology perspective.
Earlier it was Aniket that mentioned about cyber hygiene. Patch your systems. Number one thing, Patch your systems. Well, to patch your systems you have to know what your systems are. You have to have visibility. You have to know your hardware. What do you have on your network or computers to have in your network? What software are those computers running? So, to do patching well – which is the number one thing you need to do well – the precursor to that is, you have to know what’s out there. You have to have that visibility.
Daanish Samadmoten: Yeah, and I just one thing to add I guess back to a subpart of Shawn’s question about working in a distributed environment. Obviously, the pandemic has led to more people working from home than ever before. You know I wouldn’t say working from home was a regular part of my life prior to the pandemic and will likely be probably the main thing I do from now on, but that means that there were a lot of companies out there allowing their employees to work remotely in ways and brush data bit because they had too and they need to get needs to do business at the beginning of pandemic.
And so, obviously what that means is if you’re allowing employees to come into your environment remotely, then someone else theoretically could come in remotely too. And so, there are things you need to do to protect that. I’ll leave it to the technical experts about what those things are, but you know there are certainly challenges that have come from this new world of working remotely in a distributed environment and many people you expect to continue to work remotely for the foreseeable future.
I probably will not be going back to the office five days a week, so certainly something I think about going forward.
Shawn Surber: Speaking as somebody who’s worked remotely for close to 15 years now. It’s obviously top of mind for me. It’s like I always need to have access to what I need to have access to. I want it to be a seamless as possible, as quick as possible. I want to jump through as few security hoops as possible, yet we absolutely have to have those things on there. You know, the VPN’s, the SaaS solutions, the portal solutions, everything has to be very carefully evaluated. And the more load you put on them, the more risk. The more users that are on them.
And Arlan, you mentioned patching and I wanted to highlight that when we’re talking about those fundamental controls, oftentimes people think of in terms of patching as being operating systems, right? I need to patch my Windows version and things like that, but applications especially web applications and that sort of stuff when they’re vulnerable, they’re just as dangerous. They provide just as much access to the malicious actors as those operating systems. So, staying on top of not just what your hardware is, what your OS is, but also what all of the software in your environment is, what version it is, and being able to do that extremely regularly so that you can always have a good view of your environment is really critical.
Arlan McMillan: Absolutely. Can I give two examples to that Shawn, very quickly? Experian. I think that was about three years ago. Experian breach was due to a website running at one of their websites, had some software running on it that they hadn’t patched. That wasn’t the operating system of that server running the website. It was the server running an application that wasn’t patched.
Let me give you a more recent one, and I’m forgetting the name of this software and perhaps the vendor is happy I’m forgetting the name, but there’s a vendor in the law firm space. Very popular, widely used, used to share files remotely. I think it was Accellion. Yeah, right so that’s a third party system that is used by many, many law firms. And that system had some vulnerabilities in it. Now we can talk about how they were trying to get all their customers off that old platform onto their new modern platform. We can give a lot of defense to Accellion, but the fact is customers were using this version and it was an insecure platform. Led to significant breaches. City of Chicago was involved in that breach. Bunch of private information from the city. If I was still there…but besides that! But I just wanted to give those two examples, Shawn.
Aniket Bhardwaj: Real quick Shawn, and I think I’ll probably draw a quick example from the perspective of best factors like to your question earlier, the Australian Signals Directorate, which is the government arm for Australian community, they actually have what they call the Essentials 8, I mean the whole list is actually essentials 35 so anyone can Google Essentials 8. And what they really talk about is application control. Patching your applications. Make sure you are configuring the Microsoft Office macro settings in an appropriate manner. User application hardening. Restricting the administrative privileges. I think then there’s around patching operating systems and then finally multifactor authentication and backups.
So, as you can see, these are very basic/minimal things, which I think from the perspective of where organizations can start. That’s actually a pretty good list to go after quite tactically, and then start taking the items one by one depending on the overall maturity model you are targeting in the end.
So just kind of like your question together, so I wanted to bring that up.
Shawn Surber: Yeah, yeah, absolutely. And whether you’re looking at the Essential 8 or if you’re looking at the CIS top controls, they all fundamentally circle around exactly the same thing. Know what you have on your environment, patch it, scan it regularly, ensure you’re controlling administrative privileges because those are the ways that the bad guys are going to get in.
And the partnerships there that that you were calling out Arlan and the supply chain attacks that have come into play recently along with this massive upswing in ransomware attacks, create additional vectors. Additional things that you need to be concerned about, and one thing that I do also want to call out is that ransomware everyone thinks about, oh, you know it’s locking the machine up and you know now I’ve got to do backups, oh, I’ve got to pay to unlock the machines, oh, is this the only place the data lives…
Well, ransomware isn’t as often not just encrypting the data, it’s also stealing it. And so, this is one of those situations where the bad guys get to double monetize, right? They get they get money from the victim, and they get to sell the victims’ data even if they get that money.
So those are a lot of things that we need to have a perspective on in how we protect our environments.
But I want to shift gears just slightly here, so Ellen, I’m going to drag you into the conversation here. From a General Counsel’s perspective, what are some of the areas within IT security data privacy, et cetera, that concern you the most and how do your responsibilities overlap with that of the CIO, CISO and others?
Ellen McDonald: Sure, thanks for the question.
So, you know as a General Counsel you are often, as I am, also the Chief Compliance Officer. So clearly, it’s so important to be able to fulfill that role and to make sure that we’re getting ahead of what their requirements are with respect to the data that we have in house.
You know, we work with the CISO and the CIO to make sure that they’re doing the technology part of it but as a General Counsel, I need to be aware of the vast proliferation of different privacy laws, which, as we all know, has accelerated at a heart rate speed over the last couple of years. They are often conflicting. They are often differing. They have different definitions of what constitutes PII. They have different requirements for what kind of disclosure would have to be made if there were any kind of breach, so it’s super incumbent to work with the CISO and to work with the CIO to ensure that we know where that data is. We know where it’s being stored, we know who has access to it. We know what endpoints it’s on, so that if there were a breach, we would be able to quickly not only remediate, but be compliant with the disclosure requirements, which often can be extremely short turnaround time to be able to go to the appropriate authorities.
And obviously the states have also risen given the level of fines that are associated with these privacy laws. As everybody knows, GDPR has huge potential fines associated with it, so it’s definitely a larger area of concern for General Counsels.
This is also a greater and greater area of interest for boards. Our audit committee wants frequent readouts of where we stand with respect to these compliant efforts, and they want to know exactly what we’re doing to be proactive to get ahead of these risks and to make sure that if anything happened that we would be able to respond.
And, even setting aside the breach issue there are other regulatory schemes that people might need to comply with including PCI, HIPAA, Sox, so again we need to know where that data is in order to ensure that we are being compliant.
And the one other thing I would note too is it’s sort of a dual question because not only am I worried about, in my case, what Tanium is doing and how we’re compliant, but I as the General Counsel I am a consumer of law firm services. And so, they are my trusted advisors. I want to say between 30 and 40 outside counsel I rely on. Some are as big as Kirkland and some which are quite tiny, and I think increasingly what you’ll see is when General Counsels or internal departments are going out to RFP law firms we’re going to want to know how are you protecting our data? How are you making sure that if there were an issue, it could be remediated, and I think that’s going to be an increasing focus.
The other thing I would note too is, and I share this a bit, Tanium as a cyber security software company, has a high reputational risk that could be compromised if there were a breach and I put law firms kind of in that same bucket. You know, for better or for worse, we tend to put law firms on sort of a different standing. They have ethical requirements, and even although everybody in the ecosystem needs to be aware of these issues and get ahead of them, I think the reputational risk that might fall from a law firm having these issues can be more troublesome than it might be in other industries similar to a cyber security software company.
Shawn Surber: Excellent, thank you. We’ve got one last thing that you’ve just brought up that that sparked a thought in my mind. I wanted to expand the question to the whole group and then we’ll try and have some time to answer a few questions from the audience at large so those of you listening in here if you’ve got questions, please feel free to type them in the chat and we’ll try to address a couple of them at the end.
So Ellen, you brought up a lot of the regulations and concerns, and so with law firms, you have not only your own regulations and laws, you need to worry about, but the individual industry regulations of your clients, right? So essentially you need to know every law, know every regulation, and be prepared to react to it, right? So how is this affecting all of you from your perspective regarding breach notifications, disclosures and just overall protection of that data? Are you doing anything different in 2021 than you were in years past?
Ellen, you want to kick us off there?
Ellen McDonald: Yeah, well you know one thing. I would note and I like I mentioned earlier I’ve been a lawyer for a long time. But you know, when I came up the only things you were concerned about where like Dictaphones and maybe a Palm Pilot, right?
So, this is having the proliferation of devices and law firms also are increasingly expanding their services so we talked a lot about email, and that’s obviously a concern, but it’s not just email. I mean, I use one of my main corporate firms has a data room that we use when we do financing. So, it’s not only that we’re getting potentially protected and information through email, but literally I have all of my board materials out on a data room being hosted by my law firm. If that were to be compromised, the results could be catastrophic.
Arlan McMillan: Yeah, absolutely I think the only thing to add there everything is digitized. Everything is digitized, even the document that you’re scanning now, right? 100% right? Yeah, we used to do transcriptions off of old school magnetic tape. It is hard to hack into magnetic tape. Right, everything is digitized and to come full circle to the very first thing that I mentioned is it requires that mental shift, that transformation of understanding that the landscape within which we work has fundamentally changed and yet some practices haven’t.
So how do we go about and modernize those practices to be reflective of not only our modern technical environment, but also the modern threat landscape, and I think Daanish you were going to add on to that?
Daanish Samadmoten: Yeah, I mean I think as Ellen alluded to GDPR, has I think spurred a change globally in privacy law because it’s such a robust law with such significant fines that other jurisdictions which wanted to continue to do business with the EU.
There’s a adequacy requirement basically, which means that the EU has to sort of judge your certain infrastructure or privacy law governance in your country to be adequate for trade reasons, and they’ve given a certain deadline to certain countries by which they must be deemed to be adequate, and so I think that’s spurring a change globally about privacy law.
In Canada, there’s three or four laws that are either being introduced or completely overhauled, probably in the next year or two, and they will likely be somewhat similar to GDPR for the adequacy reasons I mentioned, but also just because people care more about privacy now than they did before.
With the prominence of Facebook in the news related to various privacy things. Google and the news related various privacy things. I think people in the general society care more about privacy now than they used to. And technology as Arlan said, is being used more and more commonly to store personal information. Whether that’s health information or legal, confidential information or anything, but also to use to just store sensitive information.
So, I think in in 2021 or over the last couple of years, I think organizations have had to think a lot more about their cyber security because of these laws. In Canada, we didn’t have a mandatory obligation to notify anybody until November of 2019 I believe, and so that’s only the last couple of years in which it’s been required to do that federally. And before that, there was a voluntary reporting mechanism, but people didn’t really do that very often. But now when it’s when it’s a mandatory thing, I think both law firms and just generally organizations are paying a lot more attention to cyber security and data privacy in general.
Ellen McDonald: Yeah. One other note I would just make too is when I was coming up there was nothing no such thing as a privacy attorney. That just wasn’t the role, and now my legal department is 10 attorneys, and we have a dedicated privacy attorney, and you need to because of all the proliferation. And not only are the laws constantly coming in and different jurisdictions to done at this point, we have different states that are pondering new laws right now, but then we have those of the world who challenge it and then throw everything into disarray again and you need to understand what that new landscape is.
Shawn Surber: Yeah, and it’s an interesting thing, especially about GDPR, because the requirements for serving up that data when you’ve got a subject access request are very, very short, right? You’ve got to have that data at your fingertips. And, in general, when you’re talking about like a retailer or any other kind of large organization, they’ve got most of that data in databases, and they can probably figure out where they have your data, where they’ve got your credit card, where they’ve got your address, that sort of stuff.
But with law firms, speaking to those scanned documents and all of the other electronic documents. You’re talking about millions of flat files where you could have people’s information. You need to be able to find that, immediately. And so, that kind of data archive / data scanning capabilities makes your jobs even harder.
Daanish Samadmoten: For sure, just on that last point, I’d really add quickly, litigation has increased significantly in this space over privacy and confidential information. Even ten years ago, I don’t think there was much litigation around it, but has increased a lot and to Ellen’s point about board starting to care about this there are even cases of against directors and officers in their in their capacity as directors and officers in relation to cyber security incidents. So, I think boards need to start caring about this more if they don’t already because litigation is snowballing both in North America but also in Europe and everywhere else.
Shawn Surber: Yep, absolutely. So, with just a few minutes left, I want to grab a couple of questions from the chat here.
We’ve done a lot of stressing of fundamental controls and patching and things like that. And so, I got a great question here that says “law firms often don’t have dedicated QA departments to automate testing after patches or rolled out, and so they’ve got all these different systems that need to be patched but pushing patches can also can often be slow because of that, you don’t want to risk your systems. And then when you do blow something up, you’ve got to roll it back”.
So, from a technology perspective, I think the most important thing there is you have to have the solutions that are effective – and that that you trust – and that can rapidly deploy and rapidly pull back patches. I mean, you need to be able to move quickly in those scenarios, but you also need to have some process in place to do rapid testing. And I do acknowledge that’s difficult, especially in IT-strapped organizations.
Arlan McMillan: I can share, Shawn, all of those tools have to work in a distributed environment. And when you have people at home.
Shawn Surber: Carlo, I wanted to drag you back into the conversation here. We haven’t heard from you in a little while, so with the customers that you’ve worked with, the incidents that you’ve worked on, do you have anything additional you’d like to add to that?
Carlo Lakay: So, when it comes to patching, understand that in complex organizations just pushing a patch can break a lot of stuff. So, you have to understand that that patching remediation it’s an important part of your vulnerability management lifecycle. You need visibility of the vulnerabilities. You need visibility of the systems you need to patch. But that visibility also includes which systems might be critical, might be sensitive to rolling out that patch, and what you then need to do is apply mitigations to those systems that might not be able to be patched very readily so additional layers of security need to be placed around those systems need to protect them more. But you need to know what those systems are so it’s all part of a cyber and information security ecosystem. A life cycle of interconnected parts that you need to consider when securing your environment and what we’re talking about is some of the basics, like patching, where that’s possible and easy do that because those are the low hanging fruit for threat actors.
But in those instances where you can’t necessarily patch, understand what the risk is associated with patch, weigh it up with not patching that system. What happens if someone gets access to it? And, what else can you do to secure that system to make it a less likely target for threat actor?
Shawn Surber: So simply saying not only do you need to know what you have in your environment, you need to know what’s on it, you need to know who’s using it, you need to know where the data is, because that’s absolutely critical. You need to be able to identify the risk that each individual machine provides to your environment, and then ensure that you’ve got the mitigating controls, whether they’re isolating that off in its own micro segmented environment as we’ve seen a lot of customers do when they’re still running Windows 2003 servers and that sort of stuff.
They say, “we’re going to have to put these over here by themselves because we’re done with those” and they’re still vulnerable, so that’s that that’s absolutely important.
Last question, and then we’re going to be out of time, and I guarantee you we do not have time to address this in in any kind of completeness, but identity and access management as a way to keep threat actors out of your IT environments and your sensitive data and the whole concept of “zero trust”. How do we get to zero trust where we are identifying the person and we’re identifying the device and we’re identifying the resources they’re trying to access and ensuring that all of those things are allowed?
I’m going to throw that one open to anybody who wants to start.
Carlo Lakay: I could give some insight into that. Identity and access management on its own is a complex beast. You’ve got disparate systems all over the organization from your email, from your document storage or document management systems to third party systems, and you need to understand who’s accessing those systems? What’s in those systems? Do the right people have the right access to the right data within those systems? Various complex network of rights and privileges or roles that need to be assigned to those users.
So, IDAM is a critical component of any information security management system. It needs to be in place, but it’s incredibly complex for many organizations to get to wrap their heads around. So, you know a recommendation is like we said earlier, what are the basics? What can you do to protect your critical data? Know where that data is? Know who has access to it and limit that access and then work your way down from there.
But yeah, it is a complex problem that we don’t have sufficient time to go into detail here today.
Shawn Surber: Yeah, it’s a complex problem and it’s difficult to implement so systems either get implemented poorly or not at all, right?
Aniket Bhardwaj: Exactly and even for organizations where we do see that implemented quite successfully, in their opinion, we’re still seeing cases where accounts were compromised.
So, I think one of the recommendations as Arlan alluded to earlier, and Daanish as well, is testing what you have and why don’t we have someone in house playing the role of a threat actor really testing. Do I see what’s my attack playground internally looks like?
One of the open-source tools that we generally leverage, and we see in use out there within the industry is Bloodhound. I think they are commercializing that as well, if I’m not mistaken, but it just tests the attack path for User A, User B, what different application system he or she has access to? Where all that user can navigate what all they can compromise, and then I think to kind of like Carlo’s point then really testing the effectiveness of your IDAM solutions by doing such activities.
I think it’s just important to remember that you can have, as I mentioned first line in my in my talk is you can have all kinds of fancy tools in your environment, but if you are not testing the effectiveness of what you have and what you know, that’s of no use because remember the threat actors are actively targeting and trying to get in.
Shawn Surber: Yep, absolutely we are at the top of the hour. It just passed. So, I want to thank everybody for attending today. Like to extend a special thanks to all of our panelists. Really great discussion around this subject today and I want to call out one last thing as we sign off that we kicked off by talking about past breaches and what’s caused them? What’s had that impact? And we talked about how to mitigate those things? How to put effective controls, effective policies and such in place?
And, if you go and you look and you match those things up, I think you’ll see that a lot of these breaches that we’ve seen in the past that have had worldwide impact are eminently preventable.
So, it’s time that we all as professionals, we’ve got to really step up the game and keep up with those who are trying to steal from us.
So, thank you everyone. Have a wonderful day and we’ll see you all again soon.